Additional Materials:

Contact:

The September 11 attacks showed that agencies must balance the need to protect and share sensitive information to prevent future attacks. Agencies classify this information or designate it sensitive but unclassified to protect and limit access to it. The National Archives' Information Security Oversight Office (ISOO) assesses agencies' classification management programs, and in July 2004 and April 2005 recommended changes to correct problems at the Justice Department (DOJ) and Federal Bureau of Investigation (FBI). GAO was asked to examine (1) DOJ's and FBI's progress in implementing the recommendations and (2) the management controls DOJ components have to ensure the proper use of sensitive but unclassified designations. GAO reviewed ISOO's reports and agency documentation on changes implemented and controls in place, and interviewed security program managers at DOJ, its components, and ISOO to examine these issues.

At the time of GAO's review, DOJ and FBI had made progress implementing ISOO's recommendations aimed at correcting deficiencies in their programs to properly classify information. FBI had taken action on 11 of 12 recommendations, including issuing security regulations governing its program and updating most of the classification guides that employees use to help them decide what information should be classified. FBI is also correcting deficiencies in its training and oversight activities. If FBI completes all recommendations, this will help to lower program risk since it makes 98 percent of DOJ's classification decisions. DOJ had taken action on 5 of 10 recommendations, including fixing problems with outdated and insufficient training and insufficient monitoring of components' programs. DOJ, however, has taken no action on the most important recommendation, addressing its staff shortages, which continue to place its program at risk given that it sets policy, provides training, and oversees classification practices departmentwide. DOJ said it did not have staff resources to address other shortcomings in its training and oversight activities that ISOO recommended it correct. DOJ is trying to address its resource constraints, a long-standing problem that GAO identified as early as 1993, by requesting additional funds from an administrative account in fiscal year 2007. However, DOJ does not know the optimum number of staff it needs for the program because it has not assessed its needs. It also does not have a strategy that identifies how it will use additional resources to address remaining deficiencies so as to reduce the highest program risks, such as whether to first address training, oversight, or other program gaps. For sensitive but unclassified information, the five components in our review--Bureau of Alcohol, Tobacco, Firearms and Explosives; Criminal Division; Drug Enforcement Administration; FBI; and U.S. Marshals Service--had orders and directives that identified and defined the various designations components were using, such as Law Enforcement Sensitive, to protect information, such as information critical to a criminal prosecution. But the components did not have specific guides, with examples, to help employees decide whether information merits a sensitive but unclassified designation. Furthermore, none of the components had training to help employees make these decisions or oversight of their designation practices. Without these controls, DOJ cannot reasonably ensure that information is properly restricted or disclosed and that designations are consistently applied. GAO recently identified similar problems at several other agencies and recommended that they implement such controls, and the agencies agreed to do so. According to security officials, DOJ is waiting for the results of an interagency working group established to set governmentwide standards for sensitive but unclassified information before considering additional changes in its sensitive but unclassified practices or those of its components. The final results from the working group are due by the end of December 2006. Once standardization is realized, it is important for DOJ to ensure that sensitive but unclassified practices across the agency provide employees with the tools they need to apply designations appropriately.

Recommendations for Executive Action

Status: Closed - Implemented

Comments: The September 11 attacks showed that agencies must balance the need to protect and share sensitive information to prevent future attacks. Agencies classify this information or designate it sensitive but unclassified to protect and limit access to it. The National Archives and Records Administration (NARA) assesses agencies' classification management programs. In our October 2006 report, we noted that the Department of Justice (DOJ) had made progress in implementing NARA's recommendations aimed at correcting deficiencies in its programs to properly classify information. However, DOJ had not provided its components (e.g., Bureau of Alcohol, Tobacco, Firearms and Explosives; Criminal Division; Drug Enforcement Administration; Federal Bureau of Investigation; and U.S. Marshals Service) with training to ensure that all employees authorized to make sensitive but unclassified designations have the necessary training before they can designate documents. At that time, DOJ officials noted that the department was waiting for additional guidance and governmentwide standards for sensitive but unclassified information before considering additional changes in its practices or those of its components. In November 2010, the President signed Executive Order 13556 "Controlled Unclassified Information" (CUI), which established the CUI program to standardize how the executive branch handles unclassified information and designated NARA as the CUI Executive Agent. In this role, NARA has the authority and responsibility to oversee and manage implementation of the CUI program. In June 2011, NARA issued initial implementation guidance for the executive order, which provides minimum standards for education and training. DOJ has 180 days from the issuance date (until December 2011) to fully implement the CUI guidance and related policies. In July 2011, DOJ's Assistant Director for Security and Emergency Planning Staff stated that NARA has provided a baseline training module on CUI (which is also available on NARA's website) that will be rolled out to DOJ officials before the end of August 2011. This training module will be an introduction to CUI guidance and implementation. He noted that DOJ has an existing training module (Control and Protection of Limited Official Use Information under DOJ order 2620.7) that the department is modifying to provide more detailed training to department employees on CUI designations. DOJ officials added that other training could include powerpoint briefings, computer-based training, and live presentations provided to Security Programs Managers and posted to a security office webpage. These actions substantially meet the intent of our recommendation and it is closed as implemented.

Recommendation: In addition, to help ensure that sensitive but unclassified designations are correctly and consistently applied, and once the interagency working group has determined the standard set of sensitive but unclassified designations for the federal government, the Attorney General should ensure that the department and its various components ensure that all employees authorized to make the designations have the necessary training before they can designate documents.

Agency Affected: Department of Justice

Status: Closed - Implemented

Comments: The September 11 attacks showed that agencies must balance the need to protect and share sensitive information to prevent future attacks. Agencies classify this information or designate it sensitive but unclassified to protect and limit access to it. The National Archives and Records Administration (NARA) assesses agencies' classification management programs. In our October 2006 report, we noted that the Department of Justice (DOJ) had made progress in implementing NARA's recommendations aimed at correcting deficiencies in its programs to properly classify information. However, DOJ had not provided its components (e.g., Bureau of Alcohol, Tobacco, Firearms and Explosives; Criminal Division; Drug Enforcement Administration; Federal Bureau of Investigation; and U.S. Marshals Service) with guidance for applying the designations they will use. At that time, DOJ officials noted that the department was waiting for additional guidance and governmentwide standards for sensitive but unclassified information before considering additional changes in its practices or those of its components. In November 2010, the President signed Executive Order 13556 "Controlled Unclassified Information" (CUI), which established the CUI program to standardize how the executive branch handles unclassified information and designated NARA as the CUI Executive Agent. In this role, NARA has the authority and responsibility to oversee and manage implementation of the CUI program. In April 2011, DOJ provided NARA with recommendations for proposed CUI categories and subcategories, marking, safeguarding, and dissemination requirements. In June 2011, NARA issued implementation guidance for the executive order, which allowed DOJ to move forward. DOJ has 180 days from the issuance date (December 2011) to fully implement the CUI guidance and related policies. In July 2011, DOJ's Assistant Director for Security and Emergency Planning Staff stated that the department has drafted a framework to provide specific guidance to components on the department's CUI program, including application of designations. He noted that this framework will serve as DOJ's "one-stop-shop" for internal guidance related to the application of CUI designations and that the department has reserved Chapter 16 of its Security Program Operating Manual for this guidance. He added that the framework document is currently undergoing internal DOJ review and will then be sent to department components. Finally, he noted that DOJ's guidance cannot be finalized until NARA provides additional implementation guidance over the next several months, but that he does not forsee any obstacles to DOJ finalizing its guidance before NARA's December 2011 deadline. These actions meet the intent of our recommendation and it is closed as implemented.

Recommendation: In addition, to help ensure that sensitive but unclassified designations are correctly and consistently applied, and once the interagency working group has determined the standard set of sensitive but unclassified designations for the federal government, the Attorney General should ensure that the department and its various components establish specific guidance for applying the designations they will use.

Agency Affected: Department of Justice

Status: Closed - Implemented

Comments: Security and Emergency Planning Staff (SEPS) issued a memorandum on July 28, 2009 outlining a reorganization plan to address deficiencies pointed out by the National Archives' Information Security Oversight Office, as well as recommendations made in GAO's report. The plan delineates a structured approach for SEPS staff to use in managing classified information and meeting requirements for inspections, training, and other related functions. This plan meets the intent of our recommendation and as a result the recommendation is closed as implemented.

Recommendation: To strengthen DOJ's management of classified information, the Attorney General should direct the SEPS director to devise a strategy for making resources available and for using them most effectively to address remaining deficiencies in ways that reduce the most risk to proper management of classified information, such as determining whether to address training, oversight, or other program deficiencies first.

Agency Affected: Department of Justice

Status: Closed - Implemented

Comments: Security and Emergency Planning Staff issued a memorandum on July 28,2009, outlining a reorganization plan to address deficiencies pointed out by the National Archives' Information Security Oversight Office, as well as recommendations made in GAO's report. The plan details the resources necessary to enhance the management of sensitive information, including roles and responsibilities for relevant staff members in areas such as training and inspections. This action is responsive to our recommendation and as a result the recommendation is closed as implemented.

Recommendation: To strengthen DOJ's management of classified information, the Attorney General should direct the security and emergency planning staff (SEPS) director to determine the resource level needed to ensure that it can effectively carry out the office's responsibilities, including full implementation of the ISOO recommendations.

Agency Affected: Department of Justice

Status: Closed - Implemented

Comments: The September 11 attacks showed that agencies must balance the need to protect and share sensitive information to prevent future attacks. Agencies classify this information or designate it sensitive but unclassified to protect and limit access to it. The National Archives and Records Administration (NARA) assesses agencies' classification management programs. In our October 2006 report, we noted that the Department of Justice (DOJ) had made progress in implementing NARA's recommendations aimed at correcting deficiencies in its programs to properly classify information. However, DOJ had not set internal controls for overseeing sensitive but unclassified designations to help ensure that they are properly applied. At that time, DOJ officials noted that the department was waiting for additional guidance and governmentwide standards for sensitive but unclassified information before considering additional changes in its practices or those of its components. In November 2010, the President signed Executive Order 13556 "Controlled Unclassified Information" (CUI), which established the CUI program to standardize how the executive branch handles unclassified information and designated NARA as the CUI Executive Agent. In this role, NARA has the authority and responsibility to oversee and manage implementation of the CUI program. In June 2011, NARA issued initial implementation guidance for the executive order, which requires agencies to create a self-inspection program that adheres to the principles and requirements of the executive order and implementation guidance. DOJ has 180 days from the issuance date (until December 2011) to fully implement the CUI guidance and related policies. In July 2011, DOJ's Assistant Director for Security and Emergency Planning Staff stated that compliance with the new standards and policies will be achieved through the DOJ Security Program Operating Manual self-inspection program and the DOJ Compliance Review Team. He noted that the Compliance Review Team currently provides oversight of all DOJ security-related activities and will be responsible for ensuring that DOJ components comply with the principles and requirements of CUI guidance during the initial roll out. He added that DOJ's existing self-inspection checklist, currently in place for Limited Official Use designations, will be revised to reflect the new CUI guidance. The checklist will include information on whether DOJ components have conducted CUI training and if officials are familiar with the CUI designation registry, among other things. The checklist will be administered by each component's security office and be an integral part of the Compliance Review Team's annual inspection process. The CUI self inspection program will be similar to the existing self inspection program that is used to monitor and oversee the designation of classified information. These actions meet the intent of the recommendation and it is closed as implemented.

Recommendation: In addition, to help ensure that sensitive but unclassified designations are correctly and consistently applied, and once the interagency working group has determined the standard set of sensitive but unclassified designations for the federal government, the Attorney General should ensure that the department and its various components set internal controls for overseeing sensitive but unclassified designations to help ensure that they are properly applied.